Enhancement #572
closedHTTPS for All
100%
Description
For security reasons (some sites may have auth, like user-managed sites), and privacy reasons, all websites should have a redirect to HTTPS. We should also activate HSTS (but this would be handled in #571)
These sites do not have TLS at all:
./andesi/dpt.andesi.org ./andesi/guide.andesi.org ./arnau/photos.mini-dweeb.org ./arnau/wotomae.debian.net ./arnau/www.mini-dweeb.org ./clawfire/www.clawfire.net ./damien/alt.oxmoz.eu ./damien/debian.fensalir.fr ./damien/dleone.fensalir.fr ./damien/www.aldaaron.fr ./damien/www.fensalir.fr ./duck/cdbs-doc.duckcorp.org ./duckcorp/ca.duckcorp.org ./duckcorp/coin-diff.duckcorp.org ./duckcorp/dico.duckcorp.org ./duckcorp/doc.duckcorp.org ./duckcorp/photos-ng.duckcorp.org ./duckcorp/smokeping.duckcorp.org ./duck/jdr.duckcorp.org ./finger/mushdoom.lespotos.com ./finger/pyro.lespotos.com ./finger/www.clan-hnk.com ./finger/www.lespotos.com ./georgesleyeti/albums.georgesleyeti.fr ./georgesleyeti/www.georgesleyeti.fr ./georgesleyeti/www.xn--mah-dma.net ./gorou/forum.tetramorphe.org ./gorou/wiki.tetramorphe.org ./guihome/2heurespourtuer.ath.cx ./guihome/archives-clap.guihome.net ./guihome/archives.guihome.net ./guihome/photos.guihome.net ./guihome/video.guihome.net ./guihome/webcam.guihome.net ./guihome/www.collectioneuro.eu ./happypeng/live.happypeng.org ./happypeng/midtalk.happypeng.org ./happypeng/nihon.happypeng.org ./hurdfr/perso.hurdfr.org ./hurdfr/wiki.hurdfr.org ./hurdfr/www.hurdfr.org ./laura/www.laurafontaine.fr ./milkypond/tribioune.milkypond.org ./pikachu/photos.audrey-et-arnaud.org ./pikachu/www.audrey-et-arnaud.org ./valfor/mariage-cecile-yann.duckcorp.org ./xaiki/www.evilgiggle.com
Some may not be activated but these are the most affected.
Also some site may support TLS but not redirect to it, and we should spot them too.
We could also make the config more similar. I was thinking about using the httpd OSAS role but important changes are not merged and several others would be needed. We could at the moment borrow these lines to replace the RedirectMatch:
RewriteCond %{HTTPS} off RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}
It seems it would be treated as an external redirect automagically but using a temporary redirect. So maybe adding [R=permanent] flag would be better. I did not test it yet.